Convert partial setup to secondary setup
If you initially set up a partial zone on Cloudflare, you can later convert it to use a secondary setup.
- 
Meaning you have one or more subdomains ( sub.example.com) added to Cloudflare as their own zone, separate from your apex domain (example.com). ↩
This page will guide you through this conversion using export and import and API calls.
Make sure you consider the following:
- Proxying traffic with secondary zones requires a setting that is not turned on by default. Refer to Secondary DNS override to learn more. The steps below include enabling this setting.
- There are a few options for DNSSEC with incoming zone transfers. If you want to use DNSSEC, plan for which option you will configure and confirm that your other DNS provider(s) support the setup.
- You can prepare SSL/TLS in advance by either ordering an advanced certificate or uploading a custom certificate. You should confirm that the certificate covers all your proxied hostnames and that the status of your SSL certificate ↗ is Active.
- Export a zone file from the authoritative DNS provider you were using with your partial (CNAME) setup.
- Edit the zone file to remove any occurrences of the cdn.cloudflare.netsuffix.
- If the CNAMEtarget is only appending the Cloudflare suffix to the same hostname at which it is created, replace it by the records on the Cloudflare partial zone.
Example
 Original record in authoritative DNS provider:
| Type | Name | Content | 
|---|---|---|
| CNAME | www.example.com | www.example.com.cdn.cloudflare.net | 
Records in the Cloudflare partial zone:
| Type | Name | Content | 
|---|---|---|
| A | www.example.com | <IPv4> | 
| A | www.example.com | <IPv4> | 
Final records adjusted in the zone file:
| Type | Name | Content | 
|---|---|---|
| A | www.example.com | <IPv4> | 
| A | www.example.com | <IPv4> | 
- If the CNAMErecord points to a different hostname, keep this record but remove thecdn.cloudflare.netsuffix, and also bring the records from the Cloudflare partial zone.
Example
 Original record in authoritative DNS provider:
| Type | Name | Content | 
|---|---|---|
| CNAME | www.example.com | other-hostname.example.com.cdn.cloudflare.net | 
Records in the Cloudflare partial zone:
| Type | Name | Content | 
|---|---|---|
| A | other-hostname.example.com | <IPv4> | 
| A | other-hostname.example.com | <IPv4> | 
Final records adjusted in the zone file:
| Type | Name | Content | 
|---|---|---|
| CNAME | www.example.com | other-hostname.example.com | 
| A | other-hostname.example.com | <IPv4> | 
| A | other-hostname.example.com | <IPv4> | 
- 
Use the Import DNS Records endpoint with a properly formatted zone file to import the records into your partial zone. The zone file size limit is 256 KiB (262144 bytes). Existing and already proxied records will not be overwritten by the import.
- 
Use the Update DNS Settings endpoint with secondary_overridesset totrue, to enable Secondary DNS Override.
- 
Use the Edit Zone endpoint with typeset tosecondary, to convert the zone type.You can verify if it answers as expected by querying the new assigned secondary nameservers. You can find your nameservers in DNS > Records ↗, and they should follow a format like ns0123.secondary.cloudflare.com.
# Replace ns0123 with your actual Cloudflare nameserversdig example.com @ns0123.secondary.cloudflare.com- At your registrar, update your nameservers to point to the Cloudflare nameservers.
Once the time to live (TTL) of previous NS records is expired and this information is evicted from resolvers' cache, your zone will be properly delegated to Cloudflare. In order to update DNS records, you must configure zone transfers in the next steps.
- Remove all references to cdn.cloudflare.netfrom your primary DNS provider. You can do this by importing the same zone file you prepared in Step 1 onto your primary zone.
- Enable outgoing zone transfers at your primary provider and create a peer DNS server on your Cloudflare account.
To create a peer server using the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Go to Manage Account > Configurations.
- Select DNS Zone Transfers.
- For Peer DNS servers, select Create.
- Enter the following information, paying particular attention to:
- IP: Specifies where Cloudflare sends transfer requests to.
- Port: Specifies the IP Port for the transfer IP.
- Enable incremental (IXFR) zone transfers: Specifies if Cloudflare sends IXFR requests in addition to the default AXFR requests.
- Link an existing TSIG: If desired, link the TSIG you previously created.
 
- Select Create.
To create a peer DNS server using the API, send a POST request.
- Link your Cloudflare zone to the peer DNS server you just created.
- Go to DNS > Records.
- Under DNS Zone Transfers, select Manage linked peers.
- Choose a value for Zone refresh, which controls the number of seconds between zone updates from your primary DNS server.
- Select the peer server you previously created. If needed, you can link more than one peer server to a zone.
- Select Save to confirm.
Use the Update Secondary Zone Configuration endpoint to link your Cloudflare zone to the peer DNS server.
- In DNS > Settings ↗, confirm the linked peer is listed under DNS Zone Transfers, and select Initiate zone transfer. Alternatively, you can use the Force AXFR endpoint.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark